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CRYPTOGRAPHIC SYSTEM WITH CONCEALED WORK FACTOR 

V 
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Field of the invention 
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The present invention relates to cryptographic 
systems, and, more particularly, to a method and 
apparatus for generating cryptographic keys with a 
concealed work factor. The system provides a high 
apparent work factor to maintain a high level of 
security against attackers. At the same time, with 
knowledge of a secret distribution key, a 
governmental agency is presented with a lower work 
factor. 

Background of rh P invpnt-inn 

A cryptographic system uses cryptographic keys 
to secure data. Clear text is transformed into cipher 
text by the use of at least one cryptographic key 
which is known at the transmitter and delivered to 
the receiver for use in decryption of the cipher 
text. The size (e.g., length) of the cryptographic 
key is one measure of the level of security provided 
2 0 by the cryptographic system. For example, for the 

commonly used Data Encryption Standard (DES) , the key 
length is 56 bits. Thus, since each bit can assume 
one of two possible values (e.g., 0 or 1) , up to 2 S£ 
attempts would be required to discover a given 
cryptographic key using a trial and error approach. 
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Discovery of the key generation sequence is 
another form of attack on the system. Generally, 
cryptographic keys are typically changed often to 
thwart trial and error attacks. The rate of key 
5 generation is a measure of cryptographic agility. 

Changing the key often makes it more difficult to 
discover the key because the key is not used for very 
long. For example, it may be acceptable to provide 
only one key for a two hour video program where a 
10 security breach is not critical. Alternatively, when 

a significant level of security is required, several 
(e.g., ten) new keys may be generated each second. 
In any case, the attacker could have access to some 
sequence of the cryptographic keys during the normal 
15 operation of a cryptographic system. For example, 

the attacker may gain access to the sequence of keys 
by becoming a legitimate subscriber of an information 
service. Over time, the attacker could observe and 
collect a large number of valid cryptographic keys. 
The attacker could then use these keys to extrapolate 
or guess the method of key generation. 

Since the number of possible keys increases with 
bit length, the longer the bit length of a 
cryptographic key, the more difficult the task of 
25 discovering the key sequence. Thus, cryptographic 

keys with longer bit lengths are more desirable since 
they generally provide a more secure system, with all 
other factors being equal. 

However, cryptographic security systems are 
3 0 subject to strict controls by governmental 

authorities. Laws vary from country to country, but 
almost all industrial nations control the strength of 
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security-related products that cross their borders. 
Some nations such as the United States control export 
only, while others, such as France, control both 
export and import. Companies that manufacture 
5 products that use cryptography must design their 

products to conform to various governmental 
regulations to import or export their products to 
foreign markets. Moreover, oftentimes, manufacturers 
must produce different versions of their products for 
10 different countries. This introduces additional 

development expenses and complexity. 

Typically, cryptographic strength is controlled 
by limiting the number of bits in the keys, and 
consequently, the number of possible unique keys. 
15 For example, the DES algorithm could be exported for 

satellite television conditional access applications 
if the 56-bit key is reduced to 4 0 bits by fixing 16 
bits to a constant (e.g., zero). Similarly, in the 
DVB Common Scrambling Algorithm, a 64 bit key could 
20 be reduced to a 48 bit key by fixing 16 bits. 

However, while reducing the cryptographic key bit 
length satisfies governmental authorities, it also 
weakens the cryptographic strength of conventional 
systems. Accordingly, it would be desirable to 
25 provide a cryptographic system that can be easily 

weakened to satisfy government requirements, but 
which is not weakened for the purpose of defending 
against hostile attackers. The system should thus 
provide a level of security to attackers that is 
3 0 greater than the level presented to a governmental 

agency. Furthermore, the system should include a 
common encryption engine which can be adapted to 
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different key bit-length requirements by a simple re- 
programming at the time of manufacture. The present 
invention provides the above and other advantages. 
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SUMMARY OF THE INVENTION 

In the present invention, the number of possible 
cryptographic key combinations can be reduced in a 
manner that is not known to an attacker. The key has 
a large bit-length that provides a high security 
level and maintains a burdensome analysis task for a 
prospective attacker. But, with knowledge of a 
secret distribution key, the number of possible key 
combinations (e.g., the key space size) can be 
reduced to provide a lower security level that 
satisfies governmental requirements. In particular, 
a larger key length of, for example, B-56 bits is 
used. With knowledge of the secret distribution key, 
the S=2 available key combinations can be reduced 
15 to a subset (e.g., W-2 40 ) of key combinations. To 

conceal the fact that a subset of the larger set of 
keys is used, the selected subset is distributed 
throughout the larger set of keys using a random 
process or some other process that is unknown to an 
20 attacker. Up to 2 40 56-bit keys can be produced in 

this manner for cryptographically processing a clear 
text message. 

The governmental agency can be informed of the 
2 keys out of the total possible 2 56 keys which are 
25 used. On the other hand, the attacker has no 

knowledge that only a subset of keys is used. Even 
if the attacker knew that only a subset of 2 56 keys 
was used, he still cannot identify the subset. 
However, the governmental agency can determine which 
3 0 key is in use at a given time through, for example, a 

comprehensive list of the 2 40 56-bit keys, or through 
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a secret key or other algorithm which allows 
production of such a list. Note that the governmental 
agency is faced with the same amount of work, or 
''work factor", (e.g., performing W=2 40 trials) 
regardless of the bit length of the keys on their 
list since the work factor is determined by the 
number of possible different keys. An attacker, 
however, cannot create this list, and must therefore 
check all possible 56-bit key combinations. in the 
above example, the attacker would need to check all 
2 56-bit keys, which is much more effort than that 
facing the governmental agency. The work factor can 
therefore be viewed as the average number of trials 
that must be performed to determine the keys of the 
cryptographic system. The work factor will be lower, 
for instance, for a person who knows that the keys 
are generated in a particular (e.g., non-random) 
order, with a particular starting point, and in a 
particular sequence. 

The attacker is thus faced with a level of 
difficulty (work factor) identical to that provided 
by a 56-bit key, while the government agency is faced 
with a level of difficulty provided by a 4 0-bit key. 
Accordingly, the conflicting goals of designing a 
system that meets governmental regulations while 
maintaining cryptographic strength are achieved. 

In another aspect of the present invention, a 
key sequence generator for generating a subset of 
cryptographic keys out of a larger set is disclosed. 
In particular, a key generator for generating 2 B ~ F 
cryptographic keys out of a possible 2 B cryptographic 
keys uses a secret double or triple DES key in a 
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hashing algorithm to randomly distribute a key space 
corresponding to 2 B ~ F -bit keys over a larger key 
space which corresponds to 2 B -bit keys, m this 
manner, the 2 different keys can be generated as 
required by the governmental agency, thereby avoiding 
the need to store the keys in a large memory. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of an encryption 
system in accordance with the present invention . 

Figure 2 is a block diagram of a decryption 
system in accordance with the present invention. 

Figure 3 is a block diagram of a key sequence 
generation method in accordance with the present 
invention. 

Figure 4 is a block diagram of a key sequence 
generator in accordance with the present invention. 



• 
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DETAILED DESCRIPTION OF THE INVENTION 

The present invention provides a method and 
apparatus for generating cryptographic keys which 
provide a high work factor for a potential hostile 
attacker, yet can also present a lower work factor to 
conform to governmental regulations. 

A cryptosystem with keys of size B bits allows 
S=2 possible unique keys. The number of keys 
available (e.g., the key space) is typically much 
larger than needed over a system's useful lifetime. 
This is desirable since keys should not be repeated, 
and a large number of. unused keys should always 
remain. A cryptosystem changes to a new key at a 
rate of R keys per second (kps) . When the useful 
15 lifetime of a system is Z seconds, which may 

correspond to a period of several years in some 
cases, the total number of keys used over the system 
lifetime is RZ. RZ should be much smaller than the 
total number S of available keys in order to maintain 
20 a large number of unused keys (e.g., RZ « S) . After 

the system lifetime RZ has elapsed, the system is 
considered to be obsolete and no additional keys are 
produced . 

An attacker or attacker of the system keys can 
25 thus obtain new keys at the rate R kps. After a time 

period t has elapsed (where t<Z) , the observer will 
have seen at most Rt keys, where Rt < RZ«s. The 
strength of the system is directly related to the 
advantage gained by an attacker who observes these Rt 
3 0 keys. If Rt keys can be used to somehow extrapolate 

or guess the method of generating all the keys, then 
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the attacker may be able to determine all subsequent 

keys for the remaining life of the system, and the 

system will be compromised. 

Generally, for a cryptographic system with 

5 cryptographic keys having a length of B bits and 2 B 

possible cryptographic key combinations, the present 

invention provides a system wherein, with knowledge 

of a secret distribution key, a reduced number of 

cryptographic key combinations comprising 2 N =2 B ~ F key 

10 combinations can be derived. The reduced number of 

key combinations can be derived by fixing a number F 

of the B bits in each key. Generally, it is hard to 

hide the fact that a system has some number F of key 

bits fixed to a known value. That is, discovery of 

15 the F fixed bits is very probable. For example, a 

DES key with B=56 bits reduced to N =40 bits (F=16) 

will be obvious after only 2 or 3 such keys are 

observed if each key has the same F bits in the same 

places. It is extraordinarily unlikely that a 

succession of B=56 bit words will be observed by 

chance where the last F=16 bits of each word are 

fixed to zero. Specifically, with a number of 

observations M, the probability P of the same F bits 
-MF 

agreeing is 2 , which for 4 0 bit DES key with M=3 
2 5 observations, is P=3 . 55xl0~ 15 . Conversely, the 

probability of the same F bits not agreeing is 
P=99. 9999999999996%. The attacker therefore knows 
the number and position of fixed bits after very few 
observations, and can adjust the attack strategy to 
30 reduce his work factor. 

In the above case, Rt keys are sufficient for an 
attacker to know that all keys are only 4 0 bits long 
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for a value of t that is very small. once this is 
known, the attacker knows that the number of required 
guesses to determine a key with certainty is reduced 
to 2 from 2 B . For the 40 bit DES example, this is 
5 a gain to the attacker in the form of a 99.9984741% 

reduction in effort. 

As discussed, many governmental agencies require 
a work factor corresponding, at most, to a 40 bit key 
system. But, the attacker should not be able to take 
10 advantage of the fact that a 4 0-bit key work factor 

exists, even if it is public knowledge. That is, 
even if an attacker knows that the key space of the 
cryptographic key can- be reduced, the attacker does 
not possess the knowledge to obtain this reduction. 
However, the governmental agency can be provided with 
the additional information that allows it to face a 
system with only a work factor corresponding to 40- 
bit keys, while the attacker faces a system with a 
work factor corresponding to a much larger key, such 
2 0 as 56 or 64 bits. 

Since the total keys that can be observed at a 
time t is Rt, it is desirable to make the work factor 
W > Rt by some comfortable protection factor P. To 
assure this is true for the useful lifetime of the 
25 cryptosystem, we should have w > RZ, where Z is the 

lifetime. Assuming Z - 10 years or 3.l5xl0 8 seconds 

(8.75X10 4 days), the limitation on W becomes W > 
8 

PxRx3. 15x10 , which gives the inverse relationship 
P=W/(Rx3.15xl0 8 ) , shown in Table I, below. 
30 Table I, which assumes a lifetime Z of 10 years, 

indicates the protection factor P for a rate of key 
change R, and for a work factor W dictated by 
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governmental regulations. As> shown, the rate of 
change R of a key is inversely proportional to a 
protection factor p for a given number of available 
keys. The number of available unique keys, such as W 
or S, corresponds to the work factor since it 
indicates the amount of work required to determine a 
key. For example, with a work factor W, each key may 
assume one of W possible variations. with a work 
factor S, there may be S possible key variations. P 
is the ratio of the number of available keys to the 
number of keys visible over the lifetime of the 
cryptosystem (e.g., P=W/RZ) . For example, for a 40- 
bit DES system with W=2 40 available keys, a key rate 
of change R-0.01 kps, and a lifetime z=10 years, the 
protection factor P=3.5xl0 4 . 



Table I 



Protection Factor P for Rates R and W ork W 

) 16 
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per sec) 
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Shading indicates Protection factors P less than or about 1 



It is desirable to have a large protection 
factor (e.g., P»l) to maintain a large number of 
unused keys throughout the lifetime of the system and 
to avoid the need to repeat a key. Thus, for a given 



3NSDOCID: <WO 9705720A2_1_> 



WO 97/05720 



PCT/US96/I2296 



13 



W, more protection is afforded with a lower rate of 
change R or lifetime Z, since a lower R provides 
fewer keys for an attacker to use, and a shorter 
lifetime Z reduces the available time for an attacker 
5 to compromise the system. Alternatively, a larger W 

will also yield a larger protection factor P. 

Note that it is possible for a governmental 
agency to require a relatively small value of W 
(e.g., W=32) . in this case, up to 2 32 distinct 
10 cryptographic keys from S possible keys are 

available. With a small W, the system can be 
compromised relatively easily, and the system is said 
to be degenerate. Thus, even with a large protection 
factor, it should be noted that the system may still 
15 be compromised if w is small enough. 

The present invention maintains a sufficiently 
large protection factor P while conforming to 
governmental regulations by limiting the number of 
available keys. Keys are provided having an actual 
2 0 length B, but an effective length N, since only 2 N 

different keys are available. The governmental 
agency is given information, such as a secret 
distribution or hash key, that allows it to determine 
this list of 2 N keys. The present invention thus 
25 provides a method and apparatus for concealing the 

fact that a B-bit key has a work factor associated 
with a N-bit key rather than a B-bit key. with F 
bits fixed, only W=2 B ~ F =2 N different keys are 
possible instead of S=2 B . To preclude detection of 
the scheme, the same F bits cannot be fixed in each 
key. a governmental agency can still decode the 
system as if it had W possible keys by providing a 
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list of the W keys which were selected from the S 
possible keys. As long as it is known that all keys 
in use in the cryptosystem are on the list, no more 
than W attempts will be required to decode a key. 
5 However, it is problematic to simply store W 

keys since, for DES keys with 40 bits, W=2 40 =ixl0 12 
bits, which would require roughly 8 million megabytes 
of storage. Thus, a scheme is required to provide a 
way to know the entire list of W keys without 
10 actually storing the keys themselves. 

Figure 1 is a block diagram of an encryption 
system in accordance with the present invention. An 
information source 110 provides a clear text 
information sequence via line 112 for encryption by 
15 encryptor 115. The information sequence may 

comprise, for example, a stream of binary data. A 
key sequence generator 125 provides a plurality of 
cryptographic keys (program keys) via lines 127 and 
129 for use by the encryptor 115. The program keys 
themselves are encrypted by an encryptor 130 under 
the control of an access control key provided by 
access control key generator 135 via line 137. The 
encrypted program keys are then sent via line 132 to 
multiplexer 12 0 where the cipher text and encrypted 
program keys are multiplexed to provide an encrypted 
data stream for transmission to a receiver or storage 
on a storage medium. 

In operation, the key sequence generator 125 
generates a sequence of cryptographic keys which is 
used to encrypt the program material 110. The keys 
are unique and have B bits, with a work factor of up 
to S=2 . For instance, with B=56, up to 2 56 
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different keys may be produced. The access control 
key from generator 135 is periodically changed and 
distributed to subscribers. For example, the access 
control key might be a key which changes monthly and 
is distributed to paying subscribers, while the 
program key might change once each second (R=i kps) 
and is distributed in encrypted form along with the 
information source. The present invention is 
embodied, in part, in a key generation system such as 
might be used for realizing key sequence generator 
125 or access control key generator 135. 

Figure 2 is a block diagram of a decryption 
system in accordance with the present invention. An 
encrypted data stream including cipher text and the 
encrypted program keys are received by demultiplexer 
210. The demultiplexer 210 provides the cipher text 
to decryptor 220 via line 214, while the encrypted 
program key is provided to decryptor 230 via line 
212. The decryptor 230 decrypts the program key and 
provides it to the decryptor 220 via line 232. The 
decryptor 220 then decrypts the cipher text to 
recover the clear text information sequence. The 
decryptor 230 operates under the control of an access 
control key provided via line 242 by access control 
25 key generator 240. The access control key generator 

is responsive to an input signal received via 
terminal 250. The signal may be delivered from the 
transmitter to the receiver in the encrypted data 
stream (either in-band or out-of-band) or via a 
separate key distribution system (not shown) . 

Figure 3 is a block diagram of a key sequence 
generation method in accordance with the present 
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invention. At block 310, a first B-bit key with a 

work factor of up to S=2 B is generated using, for 

example, a random or non-random key generator. Next, 

at block 320, the key space is reduced from a key 

space of an S-bit key to a key space of an N-bit key, 

with an associated work factor of up to W=2 N , where 

N<B and W<S. For example, B-56, S=2 56 , N -40, and 
40 

W-2 . Block 320 employs, for example, AND functions 
C'ANDing"), OR functions ("ORing"), hashing, 
public key encryption, exponentiation, list 
arrangement, Boolean operations, arithmetic 
operations, modulo operations, and table look-up 
operations to provide a reduced key space. The 
function 320 is responsive to the work factor W, 
which is indicative of the amount of work that must 
be done to decode the keys. The required work factor 
W is determined typically by governmental 
regulations. 

Next, at block 330, the key space of the N-bit 
key is distributed (e.g., "scattered") over a key 
space of a B-bit key space to provide up to 2 N 
different B-bit keys. A B-bit key space comprises 
all 2 possible sequences of B bits which could 
constitute a key. The distribution may be 
accomplished using a number of techniques, including 
ANDing, ORing, hashing, public key encryption, 
exponentiation, list arrangement, Boolean operations, 
arithmetic operations, modulo operations, and table 
look-up operations to provide the B-bit cryptographic 
key. In the embodiment shown, block 33 0 uses a 
hashing key K. 
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At block 340, the B-bit keys are used to encrypt 
information, in accordance with the invention, since 
each key has B-bits, the work factor to decode the 
system appears to an attacker as S=2 B since he does 
5 not know the hashing key. However, with knowledge of 

the hashing key, a government agency will face a work 
factor of only W=2 N . Accordingly, the seemingly 
contradictory goals of reducing the work factor 
without reducing the protection factor can be 
10 realized. 

An attacker who observes the keys output after 
hashing with K cannot determine that only W unigue 
keys exist without knowing K. Furthermore, if the 
distribution hash function is a one way function, 
then the number of unigue keys w cannot be determined 
at all even when K is known. This forces the 
attacker to guess the number of keys and hash forward 
to compare with his observations. The attacker can 
make no assumption about the number of keys based on 
the observed keys, so he must expend an amount of 
work S which is much greater than W. The reduction 
in strength of the system due to the use of fixed 
bits in the keys is invisible to the attacker. 

Note that while Figure 3 provides a method for 
providing W keys as a subset of S keys, in practice 
it is not necessary to generate all S keys to provide 
the W keys used for encryption. That is, the 
procedure can be accomplished on a key-by-key basis. 
For instance, a single B-bit key can be generated at 
3 0 block 310. The key space can then be reduced to N 

bits at block 320. Then, at block 330, the N bit key 
is mapped to a B bit key under the control of the 
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hashing key, thereby providing a B-bit key with an 
apparent size of B-bits and an effective size of N 
bits. At block 340, the new B-bit key is used to 
encrypt the information. 

Figure 4 is a block diagram of a key sequence 
generator in accordance with the present invention. 
The key sequence generator comprises a Key Generator, 
a Key Space Reducer, and a Key Value Hash Function. 
An initialization vector (IV) is input to terminal 
402, then provided to DES key generator 420 via 
terminals 405 and 415 of switch 410. DES key 
generators 42 0 and 425 receive Key 1 and Key 2, 
respectively, via terminals 422 and 424. The IV, Key 
1 and Key 2 are known and supplied, for example, by a 
governmental agency. DES generator 4 20 uses the IV to 
generate a key that is used, in turn, by DES 
generator 42 5 to generate another key which is 
provided to AND function 435 via line 427. After the 
IV has been used by DES generator 4 20, the switch 410 
is activated to couple terminals 415 and 417 and 
decouple terminals 4 05 and 415. DES generator 420 
then receives the output of DES generator 425 as a 
feedback signal via line 428 and terminal 415, and 
continues to generate additional keys. 

A Key Space Size input variable (e.g., sequence 
of bits) is provided via terminal 4 30 and line 432 to 
the AND gate 435. N denotes the number of ones in a 
given sequence of the input variable. When the input 
variable bit on line 432 is a one, the bit on line 
427 will pass through the AND gate 4 35 unchanged. 
However, when the input variable is a zero, the bit 
on line 427 will be set to zero by the AND gate 435. 



JNSDOCiD: -WO 9705720A2_I_> 



WO 97/05720 



PCT/US96/12296 



19 



10 



The Key Generator section of the key sequence 
generator of Figure 4, including DES generators 420 
and 425, can generate up to 2 B distinct programmable 
keys. B is an integer less than or equal to 64, for 
example. in particular, with B=64 , the key generator 
can supply up to about 2 63 random 64 -bit values under 
the control of the fixed and known IV and Keys 1 and 
2. The Key Space Reducer AND gate 4 35 reduces the 
P ° SS 64 le values out P ut from the generator from 
{0:2 -1} to {0:2 N -1}, where N=B-F is the number of 
ones in the key space size input variable. For 
instance, with F=16 fixed bits, N=64-16=48 bits. 

Note that the Key Generator section shown 
performs double DES operations since there are two 
15 DES generators, 420 and 4 25. This system is 

theoretically vulnerable to so-called meet-in-the- 
roiddle attacks. However, this type of attack 
requires 2 68 or 2.95xl0 20 bytes of memory storage, 
and is therefore considered highly remote. An 
additional DES generator can be provided to provide 
triple operations to avoid this abstract concern. 

The reduced output key from the AND gate 435 is 
provided via line 4 37 to the Key Value Hash section. 
In particular, the key is received by DES generator 
450, which is responsive to Key 3 provided via 
terminal 440. DES generator 450 provides a key to 
DES generator 455, which is responsive to Key 4 
provided via terminal 44 5. Keys 3 and 4 are known to 
the relevant government agency. A key is then 
provided via line 456 to an adder 460. Adder 460 also 
receives a feed-forward signal via line 457, and 
outputs the final B-bit cryptographic key via line 
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465. With B=64, a 64-bit key is provided via line 
465. Optionally, a Drop Byte function 470 receives 
the 64-bit key via line 467, and drops eight of the 
bits to provide a 56-bit key via line 475. In this 
manner, the same encryption engine may provide 
different key sizes as required by governmental 
regulations. The cryptographic keys are then used by 
an encryptor such as the encryptor 115 of Figure 1. 

The double DES Key Value Hash under fixed and 
known Keys 3 and 4 distributes the reduced set of 2 N 
keys randomly over 2 values, making prediction 
extremely difficult for an attacker. Keys of any 
size can be generated in this way, either by using 
less than 64 bits of a single output, or by using 
multiple outputs to assemble keys longer than 64 
bits. 

As can be seen, the present invention provides a 
method and apparatus for maintaining the protection 
factor of a cryptographic system while reducing the 
work factor to a level required by governmental 
regulations. The invention thus allows a 
cryptographic system with an encryption engine that 
can be used for both domestic and foreign 
applications, with the only difference being a 
programming modification at the time of creation of 
the system. This is accomplished using a 
cryptographic distribution function that selects N- 
bit keys randomly from up to S possible B-bit keys, 
where N<B. The key space of the N-bit keys is then 
randomly distributed over a key space corresponding 
to B-bit keys such that the presence of the fixed 
bits cannot be ascertained without knowing the 
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cryptographic keys used in the distribution function. 
Selection and distribution may also be non-random. 
Furthermore, knowledge of the distribution function 
itself is useless without knowledge of the keys used 
with it. 

Although the invention has been described in 
connection with various specific embodiments, those 
skilled in the art will appreciate that numerous 
adaptations and modifications may be made thereto 
without departing from the spirit and scope of the 
invention as set forth in the claims. For instance, 
the number of bits in each key may vary. Moreover, 
it is possible to extend the inventive concept to 
provide keys with more than two different work 
factors by providing a corresponding number of secret 
distribution keys. Furthermore, although the 
invention has been discussed primarily in conjunction 
with a DES-type private key cryptographic system, the 
invention is also applicable to other cryptographic 
systems, including public key systems. With a public 
key system, the relationship between the bit size and 
the key space is somewhat more complex. Generally, 
compared to a symmetric block cypher such as a DES 
system, the bit length of the public key must be 
several times larger to provide the same key space 
size. 
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CLAIMS: 

1* A method for providing a cryptographic key 
for cryptographically processing information, said 
method comprising the steps of: 

generating a first key according to a key 
generator scheme; 

reducing a key space of said first key in 
accordance with a key space reduction scheme; and 

distributing said reduced key space over a 
larger key space in accordance with a key space 
distribution scheme to provide said cryptographic 
key; wherein: 

said cryptographic key has an associated first 
work factor for a person without knowledge of said 
key space distribution scheme; and 

said cryptographic key has an associated second 
work factor which is less than said first work factor 
for a person with knowledge of said key space 
distribution scheme. 

2. The method of claim 1, wherein said larger 
key space is indicative of said first work factor; 
and 

said reduced key space is indicative of said 
second work factor. 

3. The method of claim 1, wherein said second 
work factor is substantially the same as a work 
factor of said reduced key space, 

4. The method of claim 1, wherein said key 
generator scheme generates said first key randomly. 
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5. The method of claim 1, wherein said key 
space reducing scheme comprises the step of 
performing at least one of: 

ANDing, ORing, hashing, public key encryption, 
exponentiation, list arrangement, Boolean operations, 
arithmetic operations, modulo operations, and table 
look-up operations on said first key to provide said 
reduced key space. 

6. The method of claim 1, wherein said key 
space distribution scheme comprises the step of: 

providing a hashing key; and 

distributing said reduced key over said larger 
key space in accordance with said hashing key to 
provide said cryptographic key. 

7. The method of claim 1, wherein said key 
space distribution scheme comprises the step of: 

substantially randomly distributing said reduced 
key space over said larger key space to provide said 
cryptographic key. 

S. The method of claim 1, wherein said key 
space distribution scheme comprises the step of 
performing at least one of: 

ANDing, ORing, hashing, public key encryption, 
exponentiation, list arrangement, Boolean operations, 
arithmetic operations, modulo operations, and table 
look-up operations on said reduced key to provide 
said cryptographic key. 

9. The method of claim l, comprising the 
further step of: 

dropping bits from said cryptographic key to 
provide a reduced bit length cryptographic key. 
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10. The method of claim 1, comprising the 
further steps of: 

providing a key space size input variable; and 
controlling a size of said reduced key space in 
accordance with said input variable. 

11. The method of claim 10, wherein said key 
space reducing scheme comprises at least one of: 

AKDing and ORing of said input variable with 
said first key to provide said reduced key space. 

12. The method of claim 1, wherein said 
cryptographic key is a B-bit key, and said first work 
factor is no greater than S=2 B . 

13. The method of claim 12, wherein said 
reduced key space corresponds to a key space of a 
(B-F)-bit key; and 

said second work factor is no greater than 
w=2 B ~ F . 

14. Apparatus for providing a cryptographic key 
for cryptographically processing information, 
comprising: 

a key generator for generating a first key 
according to a key generator scheme; 

a key space reducer operatively associated with 
said key generator for reducing a key space of said 
first key in accordance with a key space reducing 
scheme ; and 

a key distributor operatively associated with 
said key space reducer for distributing said reduced 
key space over a larger key space in accordance with 
a key space distribution scheme to provide said 
cryptographic key; wherein: 
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said cryptographic key has an associated first 
work factor for a person without knowledge of said 
key space distribution scheme; and 

said cryptographic key has an associated second 
work factor which is less than said first work factor 
for a person with knowledge of said key space 
distribution scheme. 

15. The apparatus of claim 14, wherein said 
larger key space is indicative of said first work 
factor ; and 

said reduced key space is indicative of said 
second work factor. 

16. The apparatus of claim 14, wherein said 
second work factor is substantially the same as a 
work factor of said reduced key space. 

17. The apparatus of claim 14, wherein said key 
space reducer comprises: 

means for performing at least one of ANDing, 
ORing, hashing, public key encryption, 
exponentiation, list arrangement, Boolean operations, 
arithmetic operations, modulo operations, and table 
look-up operations on said first key to provide said 
reduced key space. 

18. The apparatus of claim 14, wherein said key 
space distributor comprises: 

means for performing at least one of ANDing, 
ORing, hashing, public key encryption, 
exponentiation, list arrangement, Boolean operations, 
arithmetic operations, modulo operations, and table 
look-up operations on said reduced key to provide 
said cryptographic key. 
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19. The apparatus of claim 14, further 
comprising: 

means for providing a key space size input 
variable to said key space reducer; wherein 

said key space reducer controls the size of said 
reduced key space in accordance with said input 
variable. 

20. The apparatus of claim 19 f wherein said key 
space reducer comprises at least one of an AND gate 
and an OR gate for ANDing and ORing, respectively, of 
said input variable with said first key to provide 
said reduced key space. 

21. Apparatus for providing a cryptographic key 
for cryptographically processing information, 
comprising: 

means for a receiving a first cryptographic 
signal ; and 

means responsive to said first cryptographic 
signal for generating said cryptographic key, 
wherein: 

said cryptographic key has an associated first 
work factor for a person without knowledge of said 
first cryptographic signal; and 

said cryptographic key has an associated second 
work factor which is smaller than said first work 
factor for a person with knowledge of said first 
cryptographic signal. 

22 . A method for providing a cryptographic key 
for cryptographically processing information, 
comprising the steps of: 

receiving a first cryptographic signal; and, 
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generating said cryptographic key in response to 
said first cryptographic signal, wherein: 

said cryptographic key has an associated first 
work factor for a person without knowledge of said 
first cryptographic signal; and 

said cryptographic key has an associated second 
work factor which is smaller than said first work 
factor for a person with knowledge of said first 
cryptographic signal. 
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